Add test cases for 'checkds no'

Add test cases for when checkds is disabled. Copy the test cases that would have resulted in a DSPublish or DSRemoved and make sure that with 'checkds no' the metadata is not set.
2025-08-31 06:25:31 +00:00 · 2023-03-28 14:35:57 +02:00
parent 6bb862d10f
commit a2735810d9
11 changed files with 90 additions and 2 deletions
--- a/bin/tests/system/checkds/ns2/ns2-4.db.in
+++ b/bin/tests/system/checkds/ns2/ns2-4.db.in
@@ -30,3 +30,7 @@ ns9.good			A	10.53.0.9
 $ORIGIN yes.dspublish.ns2-4.
 good				NS	ns9.good
 ns9.good			A	10.53.0.9
+
+$ORIGIN no.dspublish.ns2-4.
+good				NS	ns9.good
+ns9.good			A	10.53.0.9
--- a/bin/tests/system/checkds/ns2/ns2.db.in
+++ b/bin/tests/system/checkds/ns2/ns2.db.in
@@ -33,6 +33,10 @@ $ORIGIN yes.dspublish.ns2.
 good				NS	ns9.good
 ns9.good			A	10.53.0.9

+$ORIGIN no.dspublish.ns2.
+good				NS	ns9.good
+ns9.good			A	10.53.0.9
+
 $ORIGIN explicit.dsremoved.ns2.
 still-there			NS	ns9.still-there
 ns9.still-there			A	10.53.0.9
--- a/bin/tests/system/checkds/ns2/ns5-7.db.in
+++ b/bin/tests/system/checkds/ns2/ns5-7.db.in
@@ -30,3 +30,7 @@ ns9.good			A	10.53.0.9
 $ORIGIN yes.dsremoved.ns5-7.
 good				NS	ns9.good
 ns9.good			A	10.53.0.9
+
+$ORIGIN no.dsremoved.ns5-7.
+good				NS	ns9.good
+ns9.good			A	10.53.0.9
--- a/bin/tests/system/checkds/ns2/ns5.db.in
+++ b/bin/tests/system/checkds/ns2/ns5.db.in
@@ -40,3 +40,7 @@ good				NS	ns9.good
 resolver			NS	ns9.resolver
 ns9.good			A	10.53.0.9
 ns9.resolver			A	10.53.0.9
+
+$ORIGIN no.dsremoved.ns5.
+good				NS	ns9.good
+ns9.good			A	10.53.0.9
--- a/bin/tests/system/checkds/ns5/ns2-4.db.in
+++ b/bin/tests/system/checkds/ns5/ns2-4.db.in
@@ -30,3 +30,7 @@ ns9.good			A	10.53.0.9
 $ORIGIN yes.dspublish.ns2-4.
 good				NS	ns9.good
 ns9.good			A	10.53.0.9
+
+$ORIGIN no.dspublish.ns2-4.
+good				NS	ns9.good
+ns9.good			A	10.53.0.9
--- a/bin/tests/system/checkds/ns5/ns2.db.in
+++ b/bin/tests/system/checkds/ns5/ns2.db.in
@@ -33,6 +33,10 @@ $ORIGIN yes.dspublish.ns2.
 good				NS	ns9.good
 ns9.good			A	10.53.0.9

+$ORIGIN no.dspublish.ns2.
+good				NS	ns9.good
+ns9.good			A	10.53.0.9
+
 $ORIGIN explicit.dsremoved.ns2.
 still-there			NS	ns9.still-there
 ns9.still-there			A	10.53.0.9
--- a/bin/tests/system/checkds/ns5/ns5-7.db.in
+++ b/bin/tests/system/checkds/ns5/ns5-7.db.in
@@ -30,3 +30,7 @@ ns9.good			A	10.53.0.9
 $ORIGIN yes.dsremoved.ns5-7.
 good				NS	ns9.good
 ns9.good			A	10.53.0.9
+
+$ORIGIN no.dsremoved.ns5-7.
+good				NS	ns9.good
+ns9.good			A	10.53.0.9
--- a/bin/tests/system/checkds/ns5/ns5.db.in
+++ b/bin/tests/system/checkds/ns5/ns5.db.in
@@ -40,3 +40,7 @@ good				NS	ns9.good
 resolver			NS	ns9.resolver
 ns9.good			A	10.53.0.9
 ns9.resolver			A	10.53.0.9
+
+$ORIGIN no.dsremoved.ns5.
+good				NS	ns9.good
+ns9.good			A	10.53.0.9
--- a/bin/tests/system/checkds/ns9/named.conf.in
+++ b/bin/tests/system/checkds/ns9/named.conf.in
@@ -87,6 +87,15 @@ zone "good.yes.dspublish.ns2" {
 	checkds yes;
 };

+/* Same as above, but with checkds disabled. */
+zone "good.no.dspublish.ns2" {
+	type primary;
+	file "good.no.dspublish.ns2.db";
+	inline-signing yes;
+	dnssec-policy "default";
+	checkds no;
+};
+
 /*
 * 1.     Enabling DNSSEC
 * 1.1    - With one parental agent
@@ -164,6 +173,14 @@ zone "good.yes.dspublish.ns2-4" {
 	checkds yes;
 };

+zone "good.no.dspublish.ns2-4" {
+	type primary;
+	file "good.no.dspublish.ns2-4.db";
+	inline-signing yes;
+	dnssec-policy "default";
+	checkds no;
+};
+
 /*
 * 1.     Enabling DNSSEC
 * 1.2    - With multiple parental agent
@@ -256,6 +273,14 @@ zone "good.yes.dsremoved.ns5" {
 	checkds yes;
 };

+zone "good.no.dsremoved.ns5" {
+	type primary;
+	file "good.no.dsremoved.ns5.db";
+	inline-signing yes;
+	dnssec-policy "insecure";
+	checkds no;
+};
+
 /*
 * 2.     Going insecure
 * 2.1    - With one parental agent
@@ -333,6 +358,14 @@ zone "good.yes.dsremoved.ns5-7" {
 	checkds yes;
 };

+zone "good.no.dsremoved.ns5-7" {
+	type primary;
+	file "good.no.dsremoved.ns5-7.db";
+	inline-signing yes;
+	dnssec-policy "insecure";
+	checkds no;
+};
+
 /*
 * 2.     Going insecure
 * 2.2.    - With multiple parental agents
--- a/bin/tests/system/checkds/ns9/setup.sh
+++ b/bin/tests/system/checkds/ns9/setup.sh
@@ -33,7 +33,7 @@ T="now-30d"
 Y="now-1y"

 # DS Publication.
-for checkds in explicit yes
+for checkds in explicit yes no
 do
 	for zn in \
 		good.${checkds}.dspublish.ns2 \
@@ -60,7 +60,7 @@ do
 done

 # DS Withdrawal.
-for checkds in explicit yes
+for checkds in explicit yes no
 do
 	for zn in \
 		good.${checkds}.dsremoved.ns5 \
--- a/bin/tests/system/checkds/tests_checkds.py
+++ b/bin/tests/system/checkds/tests_checkds.py
@@ -563,3 +563,26 @@ def test_checkds_dspublished(named_port):
 def test_checkds_dswithdrawn(named_port):
    checkds_dswithdrawn(named_port, "explicit")
    checkds_dswithdrawn(named_port, "yes")
+
+
+def test_checkds_no(named_port):
+    # We create resolver instances that will be used to send queries.
+    server = dns.resolver.Resolver()
+    server.nameservers = ["10.53.0.9"]
+    server.port = named_port
+
+    parent = dns.resolver.Resolver()
+    parent.nameservers = ["10.53.0.2"]
+    parent.port = named_port
+
+    zone_check(server, "good.no.dspublish.ns2.")
+    keystate_check(parent, "good.no.dspublish.ns2.", "!DSPublish")
+
+    zone_check(server, "good.no.dspublish.ns2-4.")
+    keystate_check(parent, "good.no.dspublish.ns2-4.", "!DSPublish")
+
+    zone_check(server, "good.no.dsremoved.ns5.")
+    keystate_check(parent, "good.no.dsremoved.ns5.", "!DSRemoved")
+
+    zone_check(server, "good.no.dsremoved.ns5-7.")
+    keystate_check(parent, "good.no.dsremoved.ns5-7.", "!DSRemoved")